Automated Verification with HIP and SLEEK

Post on 15-Feb-2016


Automated Verification with HIP and SLEEK

Asankhaya Sharma

Recall the List length Example

int length(struct node* p)
/*@ requires p::list<n,B>
    ensures  p::list<n,B> & res=n; */
{
  if (p == NULL) return 0;
  else return 1 + length(p->next);
}

Memory Safety

Length of the List

Bag of Values

With Inference

int length(struct node* p)
/*@ infer [H,G]
    requires H(p)
    ensures  G(p); */
{
  if (p == NULL) return 0;
  else return 1 + length(p->next);
}

Second Order Variables for Unknown Predicates

Modular Shape Inference

Relational Assumptions

// Post (1)
H(p) & x = null  =>  G(p)
// Bind (2)
H(p) & x != null  =>  x::node<_,q> * HP(q)
// Pre-Rec (3)
HP(q)  =>  H(p)
// Post (4)
x::node<_,q> * G(q)  =>  G(p)

Predicate Derivation

For the precondition:
H(p) == emp & p = null
     or p::node<_,q> * H(q)

For the postcondition:
G(p) == emp & p = null
     or p::node<_,q> * G(q)

Linked List Predicate Inferred

Automatically

Bi-Abduction

[Figure: the bi-abduction entailment, antecedent (1) * [precondition (4)] ⊢ consequent (2) * [residue (3)]; the bracketed precondition (anti-frame) and residue (frame) are the two unknowns solved for.]

Compositional shape analysis by means of bi-abduction. Calcagno C, Distefano D, O'Hearn P W and Yang H. POPL 2009.

Achievement: scalable automated shape analysis!

Incremental Specification

• Formal specs are important for verification and documentation.
• Tedious for legacy systems and maintenance efforts.
• The user's role is to guide the inference process.
• Our thesis: specifications can be developed incrementally and when needed.

Inference Example

infer [x,Q3]
requires x::ll<n1> * y::ll<n2>
ensures  x::ll<n3> & Q3(n1,n2,n3)

Inferred specification:

requires x::ll<n1> * y::ll<n2> & x != null
ensures  x::ll<n3> & n1+n2=n3

Inference Example (termination)

infer [R]
requires x::ll<n1> * y::ll<n2> & x != null & Term[R(n1,n2)]
ensures  x::ll<n3> & n1+n2=n3

Inferred specification:

requires x::ll<n1> * y::ll<n2> & x != null & Term[n1]
ensures  x::ll<n3> & n1+n2=n3

Selective Entailment

[Figure: selective entailment [v*] antecedent (1) * [precondition (4)] ⊢ consequent (2) * [residue (3)], with inference restricted to the variables v* and the predicate definitions supplied to the prover.]

Key Principles

• Selective Inference
• Inferable Heap Locations
• Never Inferring False
• Antecedent Contradiction
• Unknown Relation/Function Derivation

Selective Inference

infer [x]   x::ll<n>  ⊢  x::node<_,q>
            inferred pre: x != null     residue: q::ll<n-1>

infer [n]   x::ll<n>  ⊢  x::node<_,q>
            inferred pre: n > 0         residue: q::ll<n-1>

Selective Inference

infer [x]   x::ll<n>  ⊢  x::node<_,null>
            FAIL (the required constraint n=1 is not expressible over x alone)

infer [n]   x::ll<n>  ⊢  x::node<_,null>
            inferred pre: n=1           residue: emp

Inferring Heap Locations

• Heap state may be inferred

infer [x]   emp  ⊢  x::node<_,null>
            inferred pre: x::node<_,null>     residue: emp

• Allows predicates to be inferred
• Allows cascaded heaps by adding auxiliary variables

Never Inferring False

infer [x]   true  ⊢  x>x                               FAIL

infer [x]   true  ⊢  x::node<_,_> * x::node<_,_>       FAIL

Antecedent Contradiction

• What if a contradiction is detected between the antecedent (1) and the consequent (2) in [v*] (1) ⊢ (2)?
• Add a precondition over v* to support the contradicted antecedent.

Antecedent Contradiction

infer [b]   x=1 & b>0  ⊢  x=2
            inferred pre: b<=0          residue: false

infer [x]   x=null  ⊢  x::node<_,q>
            inferred pre: x != null     residue: false

Selective Inference (unknown relation)

infer [Q]   x::node<_,y> * y::ll<n2> & n1=1  ⊢  x::ll<n3> & Q(n1,n2,n3)

infer [Q]   x::node<_,y> * y::ll<n2> & Q(n1-1,n2,n3)  ⊢  x::ll<n3> & Q(n1,n2,n3)

Relational assumptions obtained:

n1=1 & n3=n2+1  ⇒  Q(n1,n2,n3)

n3=n2+1 & n1>0 & Q(n1-1,n2,n3)  ⇒  Q(n1,n2,n3)

Fixpoint Calculation

n1=1 & n3=n2+1  ⇒  Q(n1,n2,n3)

n3=n2+1 & n1>0 & Q(n1-1,n2,n3)  ⇒  Q(n1,n2,n3)

Fixpoint (closed form of Q):

n1>0 & n2>=0 & n3=n1+n2  ⇒  Q(n1,n2,n3)
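The fixpoint step above can be checked mechanically. The block below is an added example and not code from the slides or from HIP/SLEEK: it takes the two relational definitions for an append-style Q, where the recursive call returns a list of length n3' and the caller's result is one cell longer (n3 = n3'+1, an assumption of this example, since the slide reuses n2 and n3 for the recursive call), computes the least fixpoint bottom-up on a bounded domain, and then checks a candidate closed form n3 = n1+n2 against both clauses, which is what a relational obligation asks of a candidate. The function and variable names are mine.

```python
from itertools import product

# Relational definitions for Q(n1, n2, n3), as constructed for this example.
# Base clause:  n1=1 & n3=n2+1           => Q(n1, n2, n3)
# Step clause:  n1>0 & n3=n3'+1 & Q(n1-1, n2, n3')  => Q(n1, n2, n3)

def base_clause(n1, n2, n3):
    """Base case: a one-element list prepended to a list of length n2."""
    return n1 == 1 and n3 == n2 + 1

def step_clause(n1, n2, n3, q):
    """Recursive case: Q holds for the tail (n1-1, n2, n3-1) and the result grows by one."""
    return n1 > 0 and n3 >= 1 and (n1 - 1, n2, n3 - 1) in q

def least_fixpoint(bound):
    """Bottom-up least fixpoint of Q over the finite domain {0..bound}^3."""
    dom = range(bound + 1)
    q = set()
    while True:
        new = {t for t in product(dom, repeat=3)
               if t not in q and (base_clause(*t) or step_clause(*t, q))}
        if not new:
            return q
        q |= new

def closed_form(n1, n2, n3):
    """Candidate solution for Q, matching the inferred post n1+n2=n3 on the slides."""
    return n1 >= 1 and n2 >= 0 and n3 == n1 + n2

def satisfies_definitions(pred, bound):
    """Relational obligation: every tuple produced by a clause under pred must satisfy pred."""
    dom = range(bound + 1)
    q = {t for t in product(dom, repeat=3) if pred(*t)}
    return all(pred(*t) for t in product(dom, repeat=3)
               if base_clause(*t) or step_clause(*t, q))

def matches_closed_form(bound):
    """True when the computed fixpoint and the candidate agree on the whole bounded domain."""
    dom = range(bound + 1)
    candidate = {t for t in product(dom, repeat=3) if closed_form(*t)}
    return least_fixpoint(bound) == candidate

if __name__ == "__main__":
    print("fixpoint == n3=n1+n2 on 0..6:", matches_closed_form(6))
    print("closed form satisfies both clauses:", satisfies_definitions(closed_form, 6))
    wrong = lambda n1, n2, n3: n1 >= 1 and n3 == n2 + 1   # ignores the recursion
    print("n3=n2+1 satisfies both clauses:", satisfies_definitions(wrong, 6))
```

A bounded enumeration is not a proof for all naturals, but it is the same check an inference tool makes cheaply before handing the candidate to a fixpoint solver or a prover; a candidate that already fails on small values, like n3=n2+1 here, is rejected without any further work.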

Inferring Heap Locations

• Auxiliary variables may be added

infer [x]       emp  ⊢  x::node<_,q> * q::node<_,null>

infer [x, x1]   emp  ⊢  x::node<_,q> * q::node<_,null>
                inferred pre: x::node<_,x1> * x1::node<_,null> & x1=q

infer [x, x1]   emp  ⊢  x::node<_,q> * q::node<_,null>
                inferred pre: x::node<_,x1> & x1=q
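The selective-inference, heap-location and never-inferring-false principles from the slides above can be exercised on a small model. The block below is an added example, not code from the slides or from HIP/SLEEK, and it simplifies heavily: a symbolic heap is just a list of points-to cells (the ll predicate is not unfolded and pure constraints such as x>x are not modelled). The infer set decides which roots may be assumed in the precondition, a spare inferable variable that is not yet mentioned serves as the auxiliary (x1 in the slide), and a precondition that would place two cells at the same root is rejected rather than inferred as false. The names PointsTo, bi_abduce and compatible are mine.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class PointsTo:
    """One heap cell root::node<f1,f2,...>; the field "_" is a wildcard."""
    root: str
    fields: Tuple[str, ...]

    def __str__(self):
        return f"{self.root}::node<{','.join(self.fields)}>"

def compatible(a, b):
    """Two field tuples match when every position is equal or a wildcard."""
    return len(a) == len(b) and all(x == "_" or y == "_" or x == y for x, y in zip(a, b))

def bi_abduce(antecedent: List[PointsTo], consequent: List[PointsTo], infer_vars: List[str]
              ) -> Optional[Tuple[List[PointsTo], List[str], List[PointsTo]]]:
    """Selective bi-abduction over points-to cells.

    Returns (inferred precondition cells, inferred pure equalities, residue),
    or None when the entailment must FAIL under the inference set.
    """
    residue = list(antecedent)
    missing = []
    for cell in consequent:
        match = next((c for c in residue
                      if c.root == cell.root and compatible(c.fields, cell.fields)), None)
        if match is not None:
            residue.remove(match)       # consumed from the antecedent (frame rule)
        else:
            missing.append(cell)        # must come from the inferred precondition
    # Variables already mentioned cannot be reused; any other inferable variable is an auxiliary.
    mentioned = {c.root for c in antecedent + consequent} | \
                {f for c in antecedent + consequent for f in c.fields}
    aux = [v for v in infer_vars if v not in mentioned]
    rename, pure = {}, []
    for cell in missing:
        if cell.root not in infer_vars and cell.root not in rename:
            if not aux:
                return None             # selective inference: root not inferable, no auxiliary left
            fresh = aux.pop(0)
            rename[cell.root] = fresh   # e.g. q becomes x1, recorded as x1=q
            pure.append(f"{fresh}={cell.root}")
    inferred = [PointsTo(rename.get(c.root, c.root), tuple(rename.get(f, f) for f in c.fields))
                for c in missing]
    roots = [c.root for c in inferred]
    if len(set(roots)) != len(roots) or set(roots) & {c.root for c in antecedent}:
        return None                     # never inferring false: x::node * x::node is unsatisfiable
    return inferred, pure, residue

def show(antecedent, consequent, infer_vars):
    """Format one entailment and its outcome on a single line."""
    res = bi_abduce(antecedent, consequent, infer_vars)
    ante = " * ".join(map(str, antecedent)) or "emp"
    cons = " * ".join(map(str, consequent))
    if res is None:
        return f"infer {infer_vars}  {ante} |- {cons}   FAIL"
    inferred, pure, residue = res
    pre = " * ".join(map(str, inferred)) or "emp"
    if pure:
        pre += " & " + " & ".join(pure)
    return f"infer {infer_vars}  {ante} |- {cons}   pre: {pre}   residue: {' * '.join(map(str, residue)) or 'emp'}"

if __name__ == "__main__":
    x_null = PointsTo("x", ("_", "null"))
    two_cells = [PointsTo("x", ("_", "q")), PointsTo("q", ("_", "null"))]
    print(show([], [x_null], ["x"]))
    print(show([], [PointsTo("x", ("_", "_")), PointsTo("x", ("_", "_"))], ["x"]))
    print(show([], two_cells, ["x"]))
    print(show([], two_cells, ["x", "x1"]))
```

The four calls in the demo reproduce, in order, the inferred cell x::node<_,null> with residue emp, the FAIL for a consequent with two cells at x, the FAIL when q cannot be named without an auxiliary variable, and the cascaded precondition x::node<_,x1> * x1::node<_,null> & x1=q once x1 is available.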

Inferring Unknown Relations

• Two kinds of relationships are inferred:

Relational Obligation:   R(..) ⇒ c

Relational Definition:   R(..) & c ⇒ R(…)

Further Reading

• Trinh, Minh-Thai, Quang Loc Le, Cristina David, and Wei-Ngan Chin. "Bi-Abduction with Pure Properties for Specification Inference." In Programming Languages and Systems, pp. 107-123. Springer International Publishing, 2013.
